2014-15 Annual Report, part II: Staying dark

The Commissioner's long-lost review of CSE assistance to CSIS under Mandate C and s.16 of the CSIS Act was finally completed last year. (See the final section of my post on last year's report and also this post for background.)

Section 16 is the part of the CSIS Act that enables CSIS to collect foreign intelligence in Canada at the request of either the Minister of Foreign Affairs or the Minister of National Defence. When CSIS gets the go-ahead for such operations, it can call on CSE to help through CSE's Mandate C, which enables it to provide assistance to federal law enforcement and security agencies.

As I commented here, s.16 probably provides the legal basis for the collection of foreign embassy communications in Canada. And whatever monitoring was done at the G8 and G20 summits was probably also authorized through s.16.

Because it takes place in Canada, such monitoring is guaranteed to involve persons in Canada, so it is especially sensitive from the point of view of privacy protection. It was concern about the private communications of Canadians getting monitored during the interception of embassy communications that led former CSE employee Jane Shorten to go public about privacy violations in 1995.

All in all, it's a good topic for the Commissioner to shed some light on.

As I expected last year, however, not much in the way of information content actually makes it through to the Commissioner's long-suffering readers.

For starters, the report is vague about the timeframe covered by the review. One of its goals was to examine "any changes since my office’s last in-depth review," but when that review actually took place is not specified.

It seems likely, however, that the new review extended at least as far back as 2010, the year the G8 and G20 summits were held in Canada.

In 2013 there was much concern expressed about the possibility that CSE (and NSA) had illegally spied on the delegates to those summits. My own view then and now is that, yes, spying took place, but, no, it was not illegal, because this is one of the kinds of activities s.16 was specifically designed to make legal.

Given the level of public and parliamentary concern that was expressed about the legality of CSE's activities during the 2010 summits, you might think that this would be an appropriate occasion for the CSE Commissioner to address that question—at least in general terms.

Or you might think that if you hadn't read a lot of these annual reports.

There is in fact not a word about the summits in the report.

It did, however, provide a generic assurance that

CSE respected the condition contained in section 16 warrants to protect the privacy of Canadians when using intrusive measures, by following CSE policy to destroy all information about Canadians unless the information:
- relates to activities that would constitute a threat to the security of Canada as defined in the CSIS Act;
- could be used in the prevention, investigation or prosecution of an alleged indictable offence; or
- relates to those foreign states, persons or corporations for which the requesting minister has requested assistance, in writing, pursuant to section 16 of the CSIS Act.

The first and, especially, the second condition listed by the Commissioner merit particular attention as neither has any necessary connection to the original purpose of s.16 activities, the collection of foreign intelligence in Canada.

In some cases such collection probably does have a direct connection to foreign intelligence questions. There is reason to believe, for example, that people have been caught trying to sell corporate or national secrets to foreign powers because their communications with the embassies in question were monitored. In other cases, however, Canadian communications collected incidentally might have no connection at all with foreign intelligence.

The rules surrounding the use of such collection ought therefore to be of considerable concern to Canadians.

Sadly, they won't find any help in that respect here. The nature of those rules remains a mystery.

The same level of obscurity applies to most of the s.16 report.

A little bit of information is provided about the evolution of the s.16 process, notably that interdepartmental discussions in 2007 and early 2008 led to (a) the scrapping of the 1987 Tri-Ministerial Memorandum of Understanding between the Minister of Foreign Affairs, the Minister of National Defence and the Solicitor General (now Minister of Public Safety) that had originally governed the s.16 approval process and (b) its replacement by a "new process" agreed between the three ministers. We are also informed that this new process "did not outline the roles and responsibilities of the parties involved."

This leads to a recommendation that "interdepartmental agreements and internal CSE policies be updated in a timely manner to reflect current procedures and practices."

Seven or eight years on, it does seem like there may have been a bit of a timeliness failure in this regard.

There is also a useful affirmation, although somewhat ambiguous, that "Not all section 16 activities may involve warrants or assistance from CSE."

Again, no details are provided, but I take this statement to mean that CSE's support may sometimes include activities such as processing data obtained by CSIS through production orders or other information-sharing processes that don't require warrants—when operating in support of CSIS Level 1 targeting, for example. (Only Level 2 targeting requires a warrant.) Or that CSE may sometimes check its own or allied metadata databases in support of similar CSIS activities.

Of course, these possibilities apply to the full range of Mandate C cooperation, not just to support for s.16 activities. It is no coincidence that CSE statements about Mandate C usually have a qualifying phrase like the one here: "to request assistance from CSE, agencies must have the proper legal authority, such as a warrant from a court." Such as.

Although he couldn't tell us much about them, overall the Commissioner was satisfied with the s.16 activities he reviewed: "I concluded that CSE conducted its activities in accordance with the law and ministerial direction, and included measures to protect the privacy of Canadians."

He did, however, make four recommendations: "two related to the updating or creation of governing process documentation; one on the updating or creation of interdepartmental memoranda of understanding between CSIS and CSE, where applicable; and one that CSE should develop caveats to attach to specific operational material that may be shared with Second Party partners to ensure that the material would not be used without the express authorization of CSE."

No, I don't know what that last one means either.

Data about metadata

Metadata reviews are a regular feature of the CSE Commissioner's annual reports, but past reviews have mostly looked at specific metadata activities; this year's review was the beginning of "an ongoing comprehensive review of CSE’s metadata activities" that will examine the agency’s "metadata activities on a broad scale, to assess changes to the activities, and to determine whether they comply with the law and whether, in conducting them, CSE protects the privacy of Canadians."

In 2014-15, the review focused on metadata use in the foreign signals intelligence (Mandate A) context. Next year, the Commissioner will report on CSE’s use of metadata in an IT security (Mandate B) context, on various issues identified in the Commissioner's classified 2014 report A Review of the Activities of the CSEC Office of Counter Terrorism, and on "other metadata activities." Presumably the last two bits cover CSE's support to law enforcement and security agency (Mandate C) activities.

In the meantime, the Commissioner noted that some of the metadata activities discussed in that 2014 classified report have now been halted and the agency is "consequently updating its policy framework."

Sounds like something dodgy turned up there.

Getting back to this year's report, predictably little is said concerning the actual nature and scope of CSE's Mandate A metadata activities. However, the Commissioner does report both that "metadata collection and analysis have evolved considerably since the last in-depth review" and that "the Canadian legal landscape has also changed since my office last conducted an in-depth review of CSE’s collection and use of metadata."

Two recent Supreme Court decisions in particular are cited, Wakeling and Spencer.

In Wakeling v. United States of America, 2014 SCC 72, the main issue raised was whether federal legislation authorizing the sharing of lawfully obtained wiretap information between Canadian and foreign law enforcement agencies is constitutional. The Court concluded that a disclosure will be reasonable under section 8 of the Canadian Charter of Rights and Freedoms if it passes a three-part test: that the disclosure is authorized by law, that the law authorizing the disclosure is reasonable, and that the disclosure is carried out in a reasonable manner. In R. v. Spencer, 2014 SCC 43, the Supreme Court ruled on a person’s reasonable expectation of privacy within the context of the use of the Internet. The Court found that, depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against [sic] section 8 of the Charter.

This is all very interesting, but of course what we really want to know is what all this means for CSE's metadata activities.

If the Commissioner has any specific thoughts in that regard he's not sharing them with us.

The Commissioner does report that the existing ministerial directive on metadata, issued in 2011, "lacks clarity regarding the sharing of certain types of metadata with Five Eyes partners, as well as other aspects of CSE’s metadata activities."

For example, it does not define certain key terms, and fails to differentiate between other terms that, while similar in definition, are implicitly distinct concepts. The ministerial directive lacks specificity regarding the application of privacy provisions to certain processes. Furthermore, the directive does not provide clear guidance regarding a specific metadata activity that is routinely undertaken by CSE in the context of its foreign signals intelligence mission. It is also unclear whether certain language in the directive is still applicable to CSE’s use of metadata in a foreign signals intelligence context. For these reasons, I recommended that CSE seek an updated ministerial directive that provides clear guidance related to the collection, use and disclosure of metadata in a foreign signals intelligence context.

Am I the only one starting to get the distinct feeling that CSE activities don't follow the rules written in CSE policy documents as much as determine what those rules will be when they are eventually written, and re-written, after the fact? The policy people always seem to be trying—and failing—to keep up with actual, existing practice. I thought the practices were supposed to conform to the policies.

It was while the Commissioner was conducting this review that "CSE discovered on its own that certain metadata was not being minimized properly" and thus took it upon itself to suspend the sharing of "certain types of metadata" with its Five Eyes partners. The Commissioner subsequently found that CSE, in originally permitting the unminimized metadata to go out, had failed to comply with the law—the first time any CSE Commissioner has made such a finding. (Discussed further here.)

The Commissioner's review also determined that "CSE’s system for minimizing certain types of metadata was decentralized and lacked appropriate control and prioritization. CSE also lacked a proper record-keeping process."

Suspicious minds might wonder whether CSE or at least elements thereof weren't well aware of the privacy deficiencies of their systems long before the Commissioner came calling, but chose not to reveal the problem until it became clear he was about to discover it for himself.

But surely that kind of duplicity would show up in the records that the Commissioner was able to examine.

If they were properly kept.

Personally, I prefer to think sunny thoughts.

IT Security review

As noted in my previous set of comments, the 2014-15 report added a new recommendation for amendments to the National Defence Act.

Accompanying that recommendation was a hedged assessment of the IT Security, or cyber defence, program's compliance with the law:

CSE’s IT security activities were appropriately authorized and conducted in accordance with the law as interpreted by Justice Canada and in accordance with ministerial authorizations and ministerial direction. [emphasis added]

Commissioners have been applying the same kind of hedge to the Ministerial Authorization regime for over a decade now.

Despite this qualified seal of approval, the Commissioner did identify some problems with the IT Security program's handling of private communications.

My office uncovered several private communications that had not been included in the counts. Furthermore, our questioning uncovered incidents that were incorrectly identified, either indicating a private communication when such was not the case or vice versa.... These human errors were coupled with system errors that CSE had to pinpoint, delaying the review.

The Commissioner also found that "policies and procedures relating to the retention of private communications were not followed in some instances."

Reading these comments, you can almost feel the Commissioner's newly active hammer poised to strike again.

But no. The Commissioner has a surprise in store, and it's for us.

It turns out that not all private communications are really private communications!

Based on the legal opinions I have received, and with which I agree, a communication containing nothing more than malicious code and/or an element of social engineering sent to a Government of Canada computer system or network in order to compromise it is not a private communication as defined by the Criminal Code. Accordingly, CSE may not need a ministerial authorization to intercept such communications during the course of performing part (b) of its mandate. Therefore, CSE may not need to report to the Minister the interception of such communications.

Whoa, that arrived like a drone strike from the blue.

I therefore recommended that CSE reporting to the Minister on private communications unintentionally intercepted under ministerial authorizations should highlight the important differences between one-end-in-Canada e-mails intercepted under cyber defence operations and private communications intercepted under foreign signals intelligence activities, including the lower expectation of privacy attached to the private communications intercepted under cyber defence operations.

I guess I see the point here, especially in the case of one-end-in-Canada e-mails, with the Canadian end presumably being the intended victim in some government department. The Canadians involved are certainly likely to see such communications as unwanted and deserving of no special protections.

But what exactly is the legal principle here? And how far can it extend?

If some scammer phones me at home from some foreign-based boiler room, is that phone conversation no longer to be considered a private communication? What if it's a terrible deal he's offering, but nothing about it is technically illegal? Is someone going to assess the legality of what was offered before deciding whether the conversation is a private communication?

I'm sure no one is suggesting anything remotely like that.

But I do wonder how you operationalize such a distinction. Getting back to the IT Security question, what if the communication containing "an element of social engineering" takes the form of a phone call from someone purporting to be a public service colleague? Is that phone call not a private communication? What if a malicious link has been inserted into an e-mail that quotes an earlier e-mail containing actual content? Is that not a private communication?

The Commissioner's recommendation seems somewhat less radical than his discussion of this question. While the discussion asserts that some kinds of e-mails are not private communications at all, the recommendation still refers to them as private communications and suggests only that CSE "highlight the important differences" between such communications and the private communications intercepted during SIGINT operations when reporting them to the Minister. However, it does specifically assert a "lower expectation of privacy" for those e-mails, implying that a legal distinction may exist.

As I reported last year, "the total number of private communications used or retained by CSE in the course of cyber defence operations was between 1000 and 3996 in 2012-13, a number that dwarfs the 66 used or retained in the course of its foreign intelligence operations around the same time."

I can understand the Commissioner's motivation for wanting to put that larger number into some sort of context—and to emphasize what I would agree are the considerably greater privacy implications of the communications collected by the SIGINT program.

But does that really require calling the definition of private communication into question?

CNE approval process improved?

Back in September, I reported on the processes used by CSE to approve certain types of [redacted] operations, which I concluded were probably related to Computer Network Exploitation (CNE) activities.

According to CSE policy document OPS-3-1, for some kinds of operations the Chief "must consult with the Minister before approving any particularly sensitive [CNE?] operations or those that carry significant risk". Certain other kinds of operations, it stated, must be personally approved by the Minister, "if required due to sensitivity or significant risk", or by the Chief, "if appropriate".

The decision as to which operations required ministerial approval and which it was appropriate for the Chief to approve was apparently left to CSE, with little or no specific guidance provided.

What I didn't realize in September was that these policies were probably what the Commissioner was referring to in his 2013-14 report, which stated in its typically unilluminating way that the Commissioner had

examined changes to CSEC operational policies relating to the conduct of the activities under foreign signals intelligence ministerial authorizations. To ensure proper accountability for certain sensitive activities, I recommended that CSEC promulgate detailed guidance regarding the additional approvals required for these particular activities.

This year's report provides an update on that recommendation: "CSE informed my office that it has improved policy in order to respond to my recommendation that CSE promulgate detailed guidance regarding additional approvals required for certain sensitive activities."

There you have it, folks: Policy has been improved.

C-51 and beyond

Back when the Harper government was truculently ignoring the legions of people calling for changes to Bill C-51, the CSE Commissioner was one of the many people ignored.

The Commissioner's 2014-15 report reiterates the gentle suggestion that the Commissioner made last March that "an explicit authority for the review bodies to cooperate and share operational information would strengthen review capacity and effectiveness, which is that much more critical in the context of increasing cooperation and sharing of information among and with intelligence and security agencies."

That March letter also repeated the Commissioners' long-standing call for clarifying amendments to the National Defence Act.

Nothing of course was done.

As the Liberals prepare to revamp C-51 and introduce other changes to intelligence and security oversight, let's hope that parliament pays more attention this time.

And speaking of hope, there has been a lot of speculation about, but very little authoritative explanation of, the implications of the new powers granted by C-51 for CSE's activities. I was rather hoping that the Commissioner, being our law guy on the inside, might be able to clarify some of that for us, but no such luck:

As for the potential effect of this legislation on CSE, we cannot know at this time precisely how its measures will affect the work of CSE.

[Update 20 February 2016: Here's one example of how those powers may have changed. Warrants would still be required for more intrusive activities, but the range of that kind of activity has also presumably been expanded. Depending on how far "disruption" warrants may go, this could provide a basis for a wide range of CSE Computer Network Attack (CNA) activities.]

Transparency

There's a whole lot we cannot know in this business, but this latest report, 67 pages long, does continue the long-term trend towards greater transparency in reporting by CSE Commissioners, providing both more information and, in some cases, greater clarity and detail in the report's explanations.

As the Commissioner comments,

Part of my role is to inform Parliament and Canadians about CSE’s activities, and I believe it is important to support my findings with as much explanation as possible, within the restrictions of the Security of Information Act. As an independent and external body, my office can challenge, and has challenged, CSE to justify why certain information needs to be considered classified. Indeed, last year I included statistics related to unintentionally intercepted private communications collected through CSE’s foreign signals intelligence activities; this year’s report contains more statistics. I see these as important steps in helping to demystify the work of CSE and contributing to better-informed public discussion.

The inclusion of these statistics does represent an important, albeit still small, step forward.

But we have a long way to go to catch up to our southern neighbour, whose NSA is CSE's closest ally. The U.S. Privacy and Civil Liberties Oversight Board (PCLOB) recently reported, for example, that NSA will soon be publicly reporting "the number of disseminated NSA intelligence reports that refer to a U.S. person identity and the number of U.S. person identities released by the NSA in response to requests for identities that were not referred to by name or title in the original reporting." They also plan to report "the number of metadata queries that use a U.S. person identifier, and also the number of U.S. person identifiers approved for content queries."

And then there's the highly detailed reporting that PCLOB itself has done on NSA policies and programs, notably its reports on "Section 215" and "Section 702" collection.

CSE certainly has secrets that it needs to keep, but the idea that it needs to be significantly more secretive than NSA is hard to accept. I wonder if CSE seriously tries to make that claim. Why can't we treat the U.S. level of openness as a floor below which there is no reason to sink in other than exceptional circumstances?

And let's not consider that floor a ceiling. Why can't we be the ones who set the example for openness once in a while?

A little more detail in some of the Commissioner's assessments of the record of his own office would also be useful.

In this year's report, the Commissioner noted that

Since 1997, my predecessors and I have submitted 90 classified review reports to the Minister of National Defence who is responsible for CSE. In total, the reports contained 156 recommendations. CSE has accepted and implemented or is working to address 93 percent (145) of these recommendations, including all eight recommendations this year.

The report adds that CSE is still working on 15 of the recommendations, eight from this year and seven from earlier years, which indicates that 130 are considered implemented.

Judging from material recently obtained by the Globe and Mail through an Access to Information request, one of the recommendations still being implemented is the Commissioner's July 2013 recommendation that the Minister issue a new Ministerial Directive on information-sharing with the Second Parties, and that this directive be "informed by a risk assessment examining, in-depth, the potential impact of respective national differences in legal and policy authorities."

As of 18 December 2015, two and a half years after the recommendation was made, CSE had managed to produce a draft of the risk assessment.

What about the 11 recommendations rejected by CSE or otherwise not acted upon? Some were probably rendered moot by subsequent developments, but which ones? Some may have been withdrawn by the Commissioner, but which ones? Some are undoubtedly still considered relevant. Which ones? What do they recommend? How would the Commissioner rank them in terms of importance?

Are the Commissioners' long-standing recommendations for National Defence Act amendments counted among the 11 on which nothing has been done, or does the fact that the government once promised to act on them mean they are counted among the recommendations that CSE is "working on"? The new amendment recommendation is one of the eight from this year that the Commissioner counts as being worked on.

How many of the previously accepted recommendations had to be repeated before action was taken?

How many were accepted in full and how many only in part?

The report also notes that "CSE also took action on three of the five recommendations from my review of CSE’s 2012–2013 foreign signals intelligence ministerial authorizations."

Does this mean that two of the Commissioner's recommendations were rejected in that case or just that action is still pending? If the former, this single review was responsible for nearly 20% of all spiked recommendations to date. What's the story there?

Some poor drudge such as myself might be able to go through the 19 annual reports that CSE Commissioners have issued to date and come up with at least partial answers to some of these questions, but only the Commissioner's office has the information to answer them in any satisfactory manner.

Also, why doesn't the Commissioner's website list the classified reports on specific reviews that he submits to the Minister of National Defence during the course of the year as soon as they are submitted instead of waiting for the tabling of his annual report? (And if you're reading this, Commissioner Plouffe, would you please go back to listing the actual dates of those reports! Some of us care about that kind of information!)

An important part of the painful process of dragging information out of the government is submitting Access to Information requests for those classified reports. The material that eventually gets released is ridiculously redacted, of course, but there is still useful material in many of those documents. If the reports were listed as soon as they were submitted, Access requests could begin immediately instead of having to wait for the much later annual report to come out. This year (which, granted, is an extraordinary case), as much as 22 months might have been saved had the classified reports been listed right away.

The Access system does more than enough to prevent the release of timely information to the public; it doesn't need any assistance from the CSE Commissioner.

We could also use a lot more openness from CSE itself.

The Commissioner commented in the press release accompanying his annual report that "I have encouraged CSE to be more forthcoming in what it communicates to the public.”

The agency's minister, Defence Minister Sajjan, appears to share this goal, stating in his own press release that "I have directed CSE to find new opportunities to communicate with the public more openly about their activities, while still protecting sensitive information as appropriate."

The Interim Privacy Commissioner's 28 January 2014 recommendations that CSE "proactively disclose annual statistics on cases where it assists other federal agencies with requests for interception" and "produce a non-classified public report to be tabled in Parliament, as CSIS does, describing its ongoing activities and a summary of its risk assessments (violent extremism, organized crime, foreign corruption, etc.) and general policy priorities" would also be a great step, although I'm not sure that "risk assessments" as such are within the agency's purview, except in the IT Security domain.